LMDeploy is an open-source toolkit for compressing, deploying and serving vision-language and text LLMs, developed by Shanghai AI Laboratory (InternLM). A Server-Side Request Forgery (SSRF) vulnerability in it, tracked as CVE-2026-33626 (CVSS score: 7.5), can be exploited to access sensitive data and was exploited in the wild just 12 hours and 31 minutes after its public GitHub advisory went live.
On April 21, 2026, GitHub published advisory GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, describing an SSRF issue in LMDeploy’s vision-language image loader.
Key findings & attack Module
The Sysdig threat research team observed the first exploitation attempt against a honeypot running vulnerable LMDeploy at 03:35 UTC on April 22, 2026, originating from IP address 103.116.72.119 in Kowloon Bay, Hong Kong.
Within a single eight-minute session, the attacker used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server, validating the bug before moving on. The targets were the AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint.
Versions before 0.12.3 use a vulnerable load_image() implementation that fetches arbitrary URLs from the image_url field without validating hostnames, IP ranges, or schemes.
This allows an attacker to coerce the model server into making HTTP requests into internal networks, cloud metadata services, or other protected endpoints that are not directly exposed to the internet.
During the eight-minute session, the attacker weaponized LMDeploy’s vision-image loader as a generic HTTP SSRF primitive rather than a one-off bug check.
Initial requests targeted AWS Instance Metadata Service (IMDS) at 169.254.169.254 to attempt IAM credential exfiltration, followed by probes against localhost Redis on port 6379 and MySQL on port 3306, as well as a likely secondary HTTP administrative interface on ports 8080 and 80.
AI infrastructure attacks redesigning workflow
Attackers aren’t just using AI; they’re redesigning entire workflows around it. The real shift is where and how attacks happen, not just the tools involved.
The LMDeploy vulnerability reflects a growing pattern in AI infrastructure attacks, in which adversaries turn advisory details directly into exploits before public PoCs are available.
Patching & Remediation
The patched release introduces stricter URL safety checks to block requests to link-local, loopback, and private RFC1918 ranges.
This closes off the internal port-scanning and metadata-access vector.
Security teams running LMDeploy or similar AI inference stacks are urged to upgrade to LMDeploy v0.12.3 or later, enforce IMDSv2 with token requirements on cloud instances, and restrict outbound egress from GPU and inference nodes to only necessary destinations such as object storage and logging endpoints.
With exploitation observed within hours of disclosure, periodic patch cycles and slow response processes are increasingly insufficient for protecting AI-serving infrastructure from fast-moving SSRF-driven attacks.
Indicators of compromise:
| IP | Location | ASN |
|---|---|---|
| 103.116.72.119 | Kowloon Bay, HK | AS400618 Prime Security Corp |
The source IP may be a proxy, VPN endpoint, or cloud instance rented for the operation rather than the operator’s true origin.
| URL | Classification |
|---|---|
| http://169.254.169.254/latest/meta-data/iam/security-credentials/ | AWS IMDSv1: IAM role credential exfiltration |
| http://127.0.0.1:6379 | Loopback Redis |
| http://127.0.0.1:3306 | Loopback MySQL |
| http://127.0.0.1:8080 | Loopback secondary HTTP |
| http://127.0.0.1 | Loopback HTTP (port 80) |
| http[://]cw2mhnbd.requestrepo.com | Blind-SSRF OOB confirmation |
According to the Sysdig team, runtime detection for this attack class sits in two layers: the application layer and the host layer.
At the application layer, any inference server that fetches URLs from user-supplied content should log the resolved IP of every outbound request and alert on requests to link-local (169.254.0.0/16), loopback (127.0.0.0/8, ::1), or RFC 1918 private ranges, as well as well-known service ports on those ranges (6379 Redis, 3306 MySQL, 5432 Postgres, 9200 Elasticsearch, 2375/2376 Docker).
At the host layer, runtime detection captures the post-exploitation symptom (an outbound connection to a cloud metadata endpoint from an inference process) regardless of framework.
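One way to implement the application-layer check described above, as an added example (not LMDeploy's or Sysdig's code): it logs the resolved address of each outbound fetch and alerts on the ranges and service ports listed. The function names, the stub resolver and the `example.test` hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges and ports named in the article's application-layer guidance.
INTERNAL_NETS = {
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
SERVICE_PORTS = {6379: "Redis", 3306: "MySQL", 5432: "Postgres",
                 9200: "Elasticsearch", 2375: "Docker", 2376: "Docker"}

def dns_resolve(host):  # default resolver: every address the system returns
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def classify_ip(addr):
    """Return the internal-range label for an address, or None if external."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    for label, nets in INTERNAL_NETS.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return label
    return None

def audit_fetch(url, resolver=dns_resolve):
    """Build the log record for one outbound fetch, with alerts attached."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {"url": url, "resolved": [], "port": None, "alerts": ["non-http scheme or empty host"]}
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    resolved, alerts = resolver(parts.hostname), []
    for addr in resolved:  # check every address, not just the first
        label = classify_ip(addr)
        if label:
            service = f" ({SERVICE_PORTS[port]})" if port in SERVICE_PORTS else ""
            alerts.append(f"{label} {addr}:{port}{service}")
    return {"url": url, "resolved": resolved, "port": port, "alerts": alerts}

# Constructed resolver so the sample runs offline; hostnames are hypothetical.
FAKE_DNS = {"img.example.test": ["10.0.0.5"], "cdn.example.test": ["203.0.113.10"]}
def stub_resolver(host):
    return FAKE_DNS.get(host, [host])  # IP literals map to themselves

if __name__ == "__main__":
    for u in ("http://127.0.0.1:6379", "http://img.example.test/cat.png", "file:///etc/hostname"):
        print(audit_fetch(u, stub_resolver))
```

The check only holds if the fetch connects to the same address that was classified, so a real loader should connect to the resolved IP it logged rather than resolving the hostname a second time.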
Sources: CVE-2026-33626: How attackers exploited LMDeploy LLM Inference Engines in 12 hours | Sysdig